user_params = params[:user] || {}
@user = User.new
@user.safe_attributes = user_params
- @user.pref.attributes = params[:pref] if params[:pref]
+ @user.pref.safe_attributes = params[:pref]
@user.admin = false
@user.register
if session[:auth_source_registration]
@user = User.current
@pref = @user.pref
if request.post?
- @user.safe_attributes = params[:user] if params[:user]
- @user.pref.attributes = params[:pref] if params[:pref]
+ @user.safe_attributes = params[:user]
+ @user.pref.safe_attributes = params[:pref]
if @user.save
@user.pref.save
set_language_if_valid @user.language
@user = User.new(:language => Setting.default_language, :mail_notification => Setting.default_notification_option, :admin => false)
@user.safe_attributes = params[:user]
@user.password, @user.password_confirmation = params[:user][:password], params[:user][:password_confirmation] unless @user.auth_source_id
- @user.pref.attributes = params[:pref] if params[:pref]
+ @user.pref.safe_attributes = params[:pref]
if @user.save
Mailer.account_information(@user, @user.password).deliver if params[:send_information]
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
class UserPreference < ActiveRecord::Base
+ include Redmine::SafeAttributes
+
belongs_to :user
serialize :others
before_save :set_others_hash
+ safe_attributes 'hide_mail',
+ 'time_zone',
+ 'comments_sorting',
+ 'warn_on_leaving_unsaved',
+ 'no_self_notified'
+
def initialize(attributes=nil, *args)
super
if new_record? && !(attributes && attributes.key?(:hide_mail))